Accessing Computer
Assume three computers.

Computer 1 runs Windows with Putty installed
Computer 2 & 3 run FreeBSD

Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.

If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?

I am not good at explaining things, so I hope you understand what I am referring to.

--
Carmel
car...@hotmail.com

For every complex problem there is an answer that is clear, simple, and wrong.
Mencken, H. L.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Accessing Computer
In response to Carmel carmel...@hotmail.com:

> Assume three computers.
>
> Computer 1 runs Windows with Putty installed
> Computer 2 & 3 run FreeBSD
>
> Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.
>
> If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?

You could prevent ssh connections from 2 -> 3 on port 22 via firewall.

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
Re: Accessing Computer
On Fri, 8 Jan 2010 08:12:28 -0500 Bill Moran wmo...@potentialtech.com articulated:

> In response to Carmel carmel...@hotmail.com:
>
> > Assume three computers.
> >
> > Computer 1 runs Windows with Putty installed
> > Computer 2 & 3 run FreeBSD
> >
> > Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.
> >
> > If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?
>
> You could prevent ssh connections from 2 -> 3 on port 22 via firewall.

I am not sure if I am following you correctly. I frequently access computer 3 from computer 2. If I block port 22 I will have to use another one, correct? If I do enable another one, what is to prevent a user on computer 1 from accessing computer 2 and then on to computer 3?

What I want to accomplish is making it impossible to access computer 3 from other than computer 2 and then only if computer two is not being used as a slave from computer 1, or any other computer for that matter.

Probably what I want cannot be implemented; however, I thought I would ask anyway.

--
Carmel
carmel...@hotmail.com
Re: Accessing Computer
On 08/01/2010 12:50, Carmel wrote:

> Assume three computers.
>
> Computer 1 runs Windows with Putty installed
> Computer 2 & 3 run FreeBSD
>
> Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.
>
> If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?
>
> I am not good at explaining things, so I hope you understand what I am referring to.

I would suggest protecting your keys with a passphrase, then the key alone is not enough to gain access to the machines.

Simply put - in order for someone to access computer 3 from computer 2, would be for computer 3 to have computer 2's public key. So if computer 2's private key can be accessed from computer 1, then yes access to computer 3 could be granted.
Re: Accessing Computer
On Fri, 08 Jan 2010 13:05:45 + Daniel Grant dan...@nullroutes.com articulated:

> I would suggest protecting your keys with a passphrase, then the key alone is not enough to gain access to the machines.
>
> Simply put - in order for someone to access computer 3 from computer 2, would be for computer 3 to have computer 2's public key. So if computer 2's private key can be accessed from computer 1, then yes access to computer 3 could be granted.

That is what I have considered doing. The problem is that I will have to remember the password. I tend to use different passwords for different things. I therefore have a bad habit of forgetting the password. In any case, I will probably be forced to go that route though.

--
Carmel
carmel...@hotmail.com
Re: Accessing Computer
On Friday 08 January 2010 13:50:10 Carmel wrote:

> Assume three computers.
>
> Computer 1 runs Windows with Putty installed
> Computer 2 & 3 run FreeBSD
>
> Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.
>
> If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?
>
> I am not good at explaining things, so I hope you understand what I am referring to.

You might want to take a look at ssh-agent. I think PuTTY has an equivalent. It lets you do remote logins without putting your key(s) everywhere. I've not yet tried this myself, but I plan on testing it sometime.

- Pieter
Re: Accessing Computer
On Fri, 8 Jan 2010 14:58:23 +0100 Pieter de Goeje pie...@service2media.com articulated:

> You might want to take a look at ssh-agent. I think PuTTY has an equivalent. It lets you do remote logins without putting your key(s) everywhere. I've not yet tried this myself, but I plan on testing it sometime.

I use agent. All that agent does is cache your password so you do not have to re-enter it each time you make a connection.

--
Carmel
carmel...@hotmail.com
Re: Accessing Computer
Carmel carmel...@hotmail.com writes:

> On Fri, 8 Jan 2010 14:58:23 +0100 Pieter de Goeje pie...@service2media.com articulated:
>
> > You might want to take a look at ssh-agent. I think PuTTY has an equivalent. It lets you do remote logins without putting your key(s) everywhere. I've not yet tried this myself, but I plan on testing it sometime.
>
> I use agent. All that agent does is cache your password so you do not have to re-enter it each time you make a connection.

The agent can be forwarded with the connection. In your case, it would remove the need for a second key on the second machine.

--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
Re: Accessing Computer
On Fri, 08 Jan 2010 10:13:52 -0500 Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org articulated:

> Carmel carmel...@hotmail.com writes:
>
> > On Fri, 8 Jan 2010 14:58:23 +0100 Pieter de Goeje pie...@service2media.com articulated:
> >
> > > You might want to take a look at ssh-agent. I think PuTTY has an equivalent. It lets you do remote logins without putting your key(s) everywhere. I've not yet tried this myself, but I plan on testing it sometime.
> >
> > I use agent. All that agent does is cache your password so you do not have to re-enter it each time you make a connection.
>
> The agent can be forwarded with the connection. In your case, it would remove the need for a second key on the second machine.

I was not aware of that. I will have to read up on how to accomplish it. Thanks!

--
Carmel
carmel...@hotmail.com
Re: Accessing Computer
Carmel wrote:

> On Fri, 8 Jan 2010 08:12:28 -0500 Bill Moran wmo...@potentialtech.com articulated:
>
> > In response to Carmel carmel...@hotmail.com:
> >
> > > Assume three computers.
> > >
> > > Computer 1 runs Windows with Putty installed
> > > Computer 2 & 3 run FreeBSD
> > >
> > > Computer 1 runs Putty and creates a key that is installed on computer 2. Computer 2 has a key that is installed on computer 3.
> > >
> > > If someone were to use computer 1 via Putty to access computer 2, would they then be able to access computer 3? If so, how could I prevent it from happening?
> >
> > You could prevent ssh connections from 2 -> 3 on port 22 via firewall.
>
> I am not sure if I am following you correctly. I frequently access computer 3 from computer 2. If I block port 22 I will have to use another one, correct? If I do enable another one, what is to prevent a user on computer 1 from accessing computer 2 and then on to computer 3?
>
> What I want to accomplish is making it impossible to access computer 3 from other than computer 2 and then only if computer two is not being used as a slave from computer 1, or any other computer for that matter.

In order to do this, you'd have to have a private key stored on Computer 2. Unfortunately, if you or anyone authorised to use that key pair logs into Computer 2 they can then use that key to ssh into Computer 3 irrespective of whether they logged in over the network, or on Computer 2's console.

> Probably what I want cannot be implemented; however, I thought I would ask anyway.

I don't think it can. But the big 'if' in my statement above is 'authorized to use the private key' -- or in other words they know the passphrase there. Just don't tell the user from Computer 1 the passphrase to the key on Computer 2 and you will achieve the desired effect.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: Accessing Computer
Carmel wrote:

> On Fri, 08 Jan 2010 10:13:52 -0500 Lowell Gilbert freebsd-questions-lo...@be-well.ilk.org articulated:
>
> > Carmel carmel...@hotmail.com writes:
> >
> > > On Fri, 8 Jan 2010 14:58:23 +0100 Pieter de Goeje pie...@service2media.com articulated:
> > >
> > > > You might want to take a look at ssh-agent. I think PuTTY has an equivalent. It lets you do remote logins without putting your key(s) everywhere. I've not yet tried this myself, but I plan on testing it sometime.
> > >
> > > I use agent. All that agent does is cache your password so you do not have to re-enter it each time you make a connection.
> >
> > The agent can be forwarded with the connection. In your case, it would remove the need for a second key on the second machine.
>
> I was not aware of that. I will have to read up on how to accomplish it.

You just put the public key from Computer 1 in ~/.ssh/authorized_keys on both the machines (Computer 2, Computer 3) where you want access. You'll have to use 'ssh-keygen -i -f filename' to convert the pubkey from the SSH2 format Putty uses to the OpenSSH format FreeBSD uses, and you need to be careful to make the authorized_keys file writable only by the account UID. You can prepend the line in the authorized_keys files with from=hostname to only permit access from a specific host if you like. See the section 'AUTHORIZED_KEYS FILE FORMAT' in sshd(8) for details.

You don't need to install any private keys on Computer 2 or Computer 3.

Then when you load the key into the agent, be sure and check the 'Forward the Agent' tickbox. Similarly, when you connect from computer 2 to computer 3 just add '-A' to the ssh command line, as in: 'ssh -A computer3' -- this achieves the same agent forwarding under OpenSSH.

Computer 3 will ask computer 2 for authentication, and computer 2 will relay this request back to computer 1 where there is access to your private key. You can hop through a large number of machines this way, and so long as you keep forwarding the agent it should all work.

Cheers,

Matthew

Note that pageant, or ssh-agent (which is the FreeBSD equivalent) doesn't cache the passphrase. It stores a decrypted copy of your private key in memory. Don't leave the agent running on an unattended machine that anyone else can access.

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
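The key installation described in the message above, as an added example that is not part of the original thread: install_key writes the converted public key into authorized_keys with a from= restriction and owner-only permissions, and count_private_keys checks that no private key was left behind on a hop host. The function names, the host name computer2.example.org, the file name putty_pub.txt and the key text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the host name and the
# sample key are assumptions made for illustration.

# convert_pubkey <file>: SSH2 (RFC 4716) public key, as saved by PuTTYgen,
# to the one-line OpenSSH format (the 'ssh-keygen -i -f' step in the message).
convert_pubkey() {
    ssh-keygen -i -f "$1"
}

# install_key <ssh_dir> <from_pattern> <openssh_pubkey_line>
# Adds 'from="pattern" <key>' to authorized_keys unless that key is already
# present, and keeps the directory and file accessible to the owner only.
install_key() {
    dir=$1; from=$2; key=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    file="$dir/authorized_keys"
    touch "$file" && chmod 600 "$file" || return 1
    blob=$(printf '%s\n' "$key" | awk '{print $2}')   # base64 key body
    [ -n "$blob" ] || return 1
    if ! grep -qF -- "$blob" "$file"; then
        printf 'from="%s" %s\n' "$from" "$key" >> "$file"
    fi
}

# count_private_keys <ssh_dir>: how many files there hold an OpenSSH/PEM
# private key. With agent forwarding this should be 0 on Computer 2 and 3.
count_private_keys() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Demo on a scratch directory standing in for ~/.ssh on Computer 3.
# Real use: install_key "$HOME/.ssh" computer2.example.org "$(convert_pubkey putty_pub.txt)"
demo_dir=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEYBODY carmel@computer1'  # constructed
install_key "$demo_dir/.ssh" 'computer2.example.org' "$demo_key"
cat "$demo_dir/.ssh/authorized_keys"
echo "private keys found: $(count_private_keys "$demo_dir/.ssh")"
rm -rf "$demo_dir"
```

On Computer 3 the from= pattern names Computer 2, because with agent forwarding the connection to Computer 3 still arrives from Computer 2 even though the private key stays on Computer 1.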
Re: Accessing Computer
On Fri, 08 Jan 2010 16:13:34 + Matthew Seaman m.sea...@infracaninophile.co.uk articulated:

> You just put the public key from Computer 1 in ~/.ssh/authorized_keys on both the machines (Computer 2, Computer 3) where you want access. You'll have to use 'ssh-keygen -i -f filename' to convert the pubkey from the SSH2 format Putty uses to the OpenSSH format FreeBSD uses, and you need to be careful to make the authorized_keys file writable only by the account UID. You can prepend the line in the authorized_keys files with from=hostname to only permit access from a specific host if you like. See the section 'AUTHORIZED_KEYS FILE FORMAT' in sshd(8) for details.
>
> You don't need to install any private keys on Computer 2 or Computer 3.
>
> Then when you load the key into the agent, be sure and check the 'Forward the Agent' tickbox. Similarly, when you connect from computer 2 to computer 3 just add '-A' to the ssh command line, as in: 'ssh -A computer3' -- this achieves the same agent forwarding under OpenSSH.
>
> Computer 3 will ask computer 2 for authentication, and computer 2 will relay this request back to computer 1 where there is access to your private key. You can hop through a large number of machines this way, and so long as you keep forwarding the agent it should all work.

Thank you very much. I had no idea that was possible.

--
Carmel
carmel...@hotmail.com